December 3, 2020

I had the pleasure to take part in the Cybersecurity panel discussion organized by Quaynote on opportunities in Superyachts which took place on the 2nd of December 2020, with Andrew Fitzmaurice, CEO of Templar Executives, and Mike Wills, Co-Founder and Chief Data Officer of CSS Platinum, William MacLachlan, Partner at HFW, Andrew Holme, Founder and CEO at Insignia Crew.

How can owners deal rapidly and discreetly in managing reputational damage, deal with breaches of privacy and misuse of private information; ethical issues, speak up programs, cyber risks legal rights and security occurring in the superyacht industry. Covid-19 has driven many owners to operate businesses for their yachts’ safety. Still, with several incidents over recent months resulting in highly publicized scandals surrounding yachts’ incidents, this panel explores ways of mitigating exposure for the parties involved.

What is the impact of the digitalization transformation that the yachting industry is undergoing?

What role does on-board cybersecurity play in preventing leaks of privacy?

What are whistleblowing lines, and how do these help crew members who feel disengaged, bullied, or witness unethical behavior, and how can they be implemented?

How do you deal with unwanted press intrusion, threats to publish untrue damaging material (both online and by publication in the Press), invasion of privacy, and misuse of private information?

As devices are becoming more and more connected, we’re experiencing an expansion of the attack surface, a phenomenon magnified by the COVID-19 crisis. The COVID crisis has accelerated the pace of digital transformation, which raises numerous challenges for Cybersecurity practitioners.  Simultaneously, attackers are becoming more sophisticated and can leverage powerful tools and artificial intelligence from an offensive perspective. Furthermore, the barriers to entry for hackers is going down. Hackers can get access on the Dark Web to even more advanced hacking tools at lower costs. The convergence of the attack surface expansion through a proliferation of connected devices and new ways of working remotely with a more sophisticated threat landscape creates a perfect storm.

Although technology is essential to address Cybersecurity challenges, the number one attack vector remains the people, and good cybersecurity hygiene starts with raising awareness and providing the right training to technical and non-technical personnel. In the people, process, and technology frameworks, it’s actually in that order—first, the people, then process, and technology. And to give cohesion to this framework, we should design effective policies to support the governance and enterprise risk management effort to ensure that policies are well designed and implemented. In this context, we need to think of Cybersecurity in terms of sustainability. By implementing ongoing and regular training and incorporating the knowledge into best practices, we can create, in a sustainable way, a security and compliance culture and progressively build resilience at every organizational level. As practitioners, we want to ensure confidentiality, integrity, availability, or business continuity while protecting users’ privacy according to applicable international laws and regulations.

We should then implement technology to support policy, processes, and people-related frameworks to realize a significant return on investment through increased automation and reduced pressure from being overloaded from alerts and increased capabilities around threat intelligence and predictive analytics. Good Cybersecurity makes it expensive for hackers to break into a system. Essentially, a good cybersecurity practice would turn a hacker’s business into a loss generating business. Implementing adequate safeguards, procedures, policies, and technologies would turn the cost of hacking higher than the derived revenues. Thus, we observe the unfolding of a cyber arms race and cat and mouse game between attackers and defenders.

We should also bear in mind that the definition of the perimeter has evolved. The information security industry focused on well-defined boundaries and concentrated on protecting these perimeters in the same way a moat would defend a castle. However, we are experiencing a paradigm shift in the corporate perimeter definition, which is becoming even more complex to scope considering the risk coming from third-parties, thus the advent of the Zero trust paradigm. We have to take into account both first and third-party risks. 45 to 75% of hacks and breaches originate from third parties. Connected systems and infrastructures such as yachts are part of a broader ecosystem, and having the right level of visibility on assets, their connected devices are essential. It is also crucial to measure the effectiveness of controls on assets and the entire estate.

Considering that attackers are using machine learning and AI for the most advanced attacks and APT (advanced persistent threats), we should take a layered and integrated approach that incorporates threat intelligence to increase the visibility, predictability of breaches. As such, we can then minimize the risk and time an attacker would first intrude into a system. And when it comes to protecting against threats that leverage Artificial Intelligence, it is sensible to use AI-based technology to defend against AI-engineered threats.

Artificial Intelligence can also considerably reduce alerts fatigue through automation and increase capabilities around predictive analytics. And this concept goes beyond Cybersecurity to also concern such domains as predictive maintenance engineering. With AI and connected sensors, we can predict with higher precision when a piece or a device is likely to fail, and when it should be replaced. And a yacht could be integrated into a SOC (Secure Operations Center) where crew members could be alerted in real-time of a cyber attack or intrusion.

Today, a yacht is part of a broader ecosystem. It is becoming a connected object, and as such, the perimeter has evolved. We can’t limit our approach to traditional defensive methods that focus on protecting the perimeter only. One needs to strengthen the resilience of the entire ecosystem, first, and third-party risk, and this starts with having the right visibility on assets.  Within that configuration and context, securing endpoints and providing a unifying framework on endpoint security management has become an essential part of a comprehensive Cybersecurity program.

Visibility on controls and assets is thus fundamental. We aim to provide visibility from the inside-out and visibility from the outside-in while measuring the controls’ effectiveness around people, processes, and technology. Ideally, we want to see what a hacker would see and then remediate the vulnerabilities we identify in a scalable way. Visibility also relates to threat intelligence capabilities that can enhance a technical team’s predictive analytics ability and take a more proactive stance to anticipate where threats are likely to come from.

And before deploying more sophisticated technologies, we should first make sure that we get the basics right. Following some fundamental security principles, such as network segregation, multi-factor authentication, or application whitelisting, can ensure a certain degree of resiliency and protection, and reduce the attack surface.

Rarely is there a silver bullet approach to Cybersecurity? By taking an integrated, layered, and defense-in-depth approach to securing connected objects as part of the entire ecosystem they belong to, we can build organizational cyber resiliency while addressing the human element through ongoing technical and awareness training sustainably.

By Jean Lehmann, CEO, Cyber Capital HQ

Subscribe

Your personal information is kept in accordance with our Privacy Notice